![Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference show](https://d3dthqtvwic6y7.cloudfront.net/podcast-covers/000/047/395/small/black-hat-briefings-las-vegas-2006-video-presentations-from-the-security-conference.jpg)
Summary: "Every application, from a small blog written in PHP to an enterprise-class database, receives raw bytes, interprets these bytes as data, and uses the information to drive the behavior of the system. Internationalization support, which stretches from character representation to units of measurement, affects the middle stage: interpretation. Some software developers understand that interpreting data is an incredibly difficult task and implement their systems appropriately. The rest write, at best, poorly internationalized software. At worst, they write insecure software. Regardless of whether this fact is understood or acknowledged, each developer is reliant on operating systems, communication mechanisms, data formats, and applications that provide support for internationalization. This represents a large and poorly understood, attack surface. If we go back to the "three stages model" above, many attacks have focused on simply sending bad data and using perceived failures to influence the behavior of the system. Most defenses have evolved to prevent malicious data from entering the system. This talk will cover advanced techniques that use the interpretation stage to manipulate the data actually consumed by the myriad components of typical software systems. Attack and defense methodologies based on years studying core technologies and real software systems will be presented. Scott Stender is a founding partner of iSEC Partners and brings with him several years of experience in large-scale software development and security consulting. Prior to iSEC Partners, Scott worked as an application security analyst with @stake where he led and delivered on many of @stake's highest priority clients. Before @stake, Scott worked for Microsoft where he was responsible for security and reliability analysis for one of Microsoft's distributed enterprise applications. In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies. Scott has previously presented at conferences such as Black Hat USA, OWASP, and the Software Security Summit. He holds a BS in Computer Engineering from the University of Notre Dame."
